Tag Archives: Threats

Avira

Adult FriendFinder & Co.: Dangerous Cyber Liaisons

Let me start out by saying that this post is not about whether dating websites/apps are good or bad. I’m not qualified to make that call. But if you’re using them, you should understand the risks. And as your reward for reading (and hopefully sharing this post), I’ve listed at the bottom Tinder’s best – and most dangerous pickup lines… So let’s get started – with a quiz!

What do Adult FriendFinder, CupidMedia, eHarmony and Tinder have in common?

Yes, they all regularly lead to matches made in cyber heaven (and no doubt, hellish heartbreaks), but that’s not the point: they all display(ed) security vulnerabilities. Let’s walk through them one-by-one.

1. Putting yourself out there… And all your data too

Adult FriendFinder was just hacked. Happens to companies all the time you say? Fair enough, but what is remarkable here is the quality of leaked data: 3.5 million gorgeous profile pics and sexy alias’ – along with names, emails, zip codes, IP addresses, passwords and sexual preferences. In other words, the perfect cocktail needed for targeted spam and identity theft.

TIPS:

  1. Create a new email address dedicated to the dating website.
  2. Use a nickname or alias instead of your full name.
  3. Create a unique and complex password for that platform (back in 2012, eHarmony accounts with the glorious password – “password”, were compromised).
  4. If twitterpated makes you forgetful, use a password manager to create and store these passwords for you.

2. I know where you hang out

Tinder is a very popular dating app, which is premised on selecting profiles of people who are located close to you (very popular with Olympians at Sochi…). Once both parties ‘like’ each other’s profiles, they can start chatting.

Back in 2014, a vulnerability was identified that enabled hackers to pinpoint users’ exact location in real-time. This facilitated stalking and opened the door (quite literally) to burglaries, knowing that the user was not at home.

Although this vulnerability has since been fixed, a recent study by IBM identified 26 out of 41 dating apps on Android that had “medium or high security vulnerabilities”. These apps tend to request excessive permissions and run up expensive charges…

TIPS:

  1. Although the names of unsafe apps were not divulged, IBM did say that Match, OkCupid and Tinder were not on the “blacklist”…
  2. Always keep your apps up-to-date to reduce the chances of falling prey to security vulnerabilities.

I can see you… Through your camera and webcam…

Remember Blackshades – that creepy Trojan that gave hackers access to webcams (and was used by a sextortionist to prey on Miss Teen USA)? Like most chatting platforms, dating websites and apps are popular avenues for distributing malware. After all, an innocuous-looking link, promising a revealing picture, can just as easily open a harmful website or file. To paraphrase the late Robin Williams, we were given a brain and nether regions but only enough blood to run one at a time.

TIPS:

  1. Use common sense: if an unknown user is offering to share revealing pictures, pass.
  2. Use an antivirus on your devices. I also recommend you use an app that shows you what permissions your mobile apps are getting. Avira’s free Android app includes both these functionalities and can be found on Google Play.

 

As promised… Tinder’s Most Dangerous Pickup Lines…*

  1. I know this profile’s fake, but can I get the name of the model you used?
  2. Going to undress… want to watch on webcam?
  3. Credit card is to prove your age… Can’t show stuff to minors…
  4. I don’t have any pics on my phone, but here’s one I have in email, answer me on text, not here.
  5. I’m still recovering from last night with this iPhone game. Play with me and I’ll give you my number.

* Disclosure: explicit sexual content was removed from the pick-up lines.

The post Adult FriendFinder & Co.: Dangerous Cyber Liaisons appeared first on Avira Blog.

Avira

URL-Spoofing: Apple Safari Can Be Manipulated Easily

What it’s about

All you need to do so is a bit of Javascript. With just a few lines of it Safari users can be deceived by what’s commonly known as URL-spoofing: During such an attack, a computer user innocently visits a web site and sees a familiar URL in the address bar such as http://www.avira.com but is, in reality, sending information to an entirely different location that would typically be monitored by a cybercriminal.

The security issue was discovered by David Leo, who put together a proof-of-concept for it. When clicking on OK a new website is being loaded. While the address bar tells you that you are visiting dailymail.co.uk the actual page is definitely a different one.

The URL-spoofing itself is done with just a few lines of code:

function f()
{
location=”http://www.dailymail.co.uk/home/index.html?random=”+Math.random();
}
setInterval(“f()”,10);

The last part, setInterval(“f()”,10); , makes sure that the address bar is reloaded ever 10 milliseconds (so you might as well say, that it’s kind of a DDoS attack, too), just before the browser can get the real page and so the user sees the “real” web address instead of the fake one. This causes the spoofed URL to flicker; sometimes it’s even possible to briefly see the actual URL.

What you can do

Your first step should always be to make sure that your browser is up to date so that security updates can be installed once available. In addition to that open up the Safari settings, go to the advanced tab, and choose “Show full website address”. The browser will then show the results of MathRandom in the address bar.

Alternatively you could also just use another browser for the time being: The code will not work in Google Chrome and Mozilla Firefox.

The post URL-Spoofing: Apple Safari Can Be Manipulated Easily appeared first on Avira Blog.

Avira

LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers

What it’s all about

The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.

“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.

According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that  – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.

This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.

Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.

As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.

What you can do

Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.

Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.

More information on LogJam can be found on the dedicated page.

The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.

Avira

LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers

What it’s all about

The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.

“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.

According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that  – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.

This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.

Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.

As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.

What you can do

Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.

Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.

More information on LogJam can be found on the dedicated page.

The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.

Avira

Some GTA V Mods Serve You Malware

What it’s all about

aboutseven, a newly registered member on the GTA forums, was the first one to notice that all was not well with the processes running on his computer. “I came across something pretty startling today after reviewing my processes that were running on my computer. I tend to do this a lot out of paranoia, just checking that I don’t have stuff running in the background that I don’t want running, or if I ever possibly run into something that is out of the ordinary that could possibly be malware. I happened to notice that the Windows C# compiler running the background as csc.exe”, he wrote in his post.

After looking into it some more he dredged up a file called Fade.exe, which hijacked a part of the registry in order to being launched at boot. Some more testing revealed that a GTA mod named Angry Planes was to be held responsible for the malware landing on his system. Since the discovery, other players are claiming they’re finding similar harmful files on other mods as well, such as No Clip.

What it does

So, why exactly is Fade.exe such a problem? To answer the question, let’s just take a look at the modules that are loaded with the mod, according to another forum user named ckck:

  • “Facebook spam/credential stealing module
  • Twitch spam/credential stealing module
  • com spam/credential stealing module
  • A Steam spamming module
  • A Steam module that evaluates the items in your inventory and their value based on current market value
  • A Keylogger module that logs individual button presses in an XML like format, it also includes information about context switches (switching from one app/window to another)
  • A UDP flooding module
  • I hadn’t deciphered and didn’t see in action.”

What you can do

In case you have one of the mods installed, make sure to scan your computer with your AV and remove the malicious files. Keeping in mind that Fade.exe also sniffs around your Facebook, Steam, and Twitch accounts, make sure to change all your passwords as well.

The post Some GTA V Mods Serve You Malware appeared first on Avira Blog.

Avira

Mass-Scale Abuse of Routers Due to Lax Security

The reason why botnets like that can even exist? According to a study by Incapsula it’s simple negligence – by ISPs, vendors and users alike.

The attacks were first spotted last year in December and seem to be ongoing ever since. More than 40,000 infected routers from 1,600 ISPs all over the world have been documented. When not used to execute DDoS (distributed denial of service) attacks the routers do something rather scary: In their idle time they use their resources to scan for additional routers to recruit!

“Our analysis reveals that miscreants are using their botnet resources to scan for additional routers to add to their “flock.” They do so by executing shell scripts, searching for devices having open SSH ports which can be accessed using default credentials.

Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighborhoods of specific ISPs, which provide them in bulk to end users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms”, the study says.

The researchers believe that the routers were not hacked by means of vulnerabilities in the firmware but were hijacked due to other issues: all units are remotely accessible via HTTP and SSH on their default ports and nearly all of them are configured with vendor-provided default login credentials.

This combination invites trouble and DDoS attacks are only one of the possible threats resulting from it. Attackers could just as well:

  • eavesdrop on all communication.
  • perform man-in-the-middle (MITM) attacks (e.g., DNS poisoning).
  • hijack cookies.
  • gain access to local network devices (e.g., CCTV cameras).

What can you do?

Make sure to always change the default login credentials. That’s something every router owner should do from the start. You should also think twice before enabling remote access to your router management interface.

The post Mass-Scale Abuse of Routers Due to Lax Security appeared first on Avira Blog.